South African companies that provide products or services to European Union countries may be legally obliged to appoint an EU-based General Data Protection Regulation (GDPR) representative.

This was the word from Karl Blom, associate in the Technology, Media, Telecommunications and Intellectual Property Practice at Webber Wentzel, speaking yesterday at ITWeb's GDPR update.

Discussing what GDPR means for South African businesses and what they should be doing to comply, Blom highlighted the possibility that local businesses processing personal data in any EU country may be compelled to appoint an EU-based GDPR representative.

GDPR, which came into effect on 25 May, brings about the biggest global change in data privacy law in recent times, in which privacy rights in the EU have been significantly augmented, he explained.

The law will affect all South African businesses that process the personal information of individuals located in the EU. As a consequence, where South African businesses seek to advertise or make their services available in the EU, they will need to ensure they're able to comply with the obligations set out in the GDPR.

The law stipulates any legal person who resides in one of the EU member states should be appointed as a representative in the union for non-EU-based companies. The representative must have a personal residence in the EU.

"While some local organisations which have operations in the EU may be required to appoint a GDPR representative who is based in the EU, we are not yet sure of the practical guidelines and which organisations will be forced to comply with this aspect of the law," explained Blom.

He outlined the responsibilities of a GDPR representative.

"The main responsibility of the representative is to operate as the liaison between the data subjects and the supervisory authorities. Therefore, the representative acts on behalf of the controller/processor with regards to their obligations under the GDPR."

AggregateIQ court case

Blom made reference to the UK GDPR enforcement measure against embattled Canadian company AggregateIQ, which involves the UK Information Commissioner's Office (ICO) serving the data analytics firm with the first-ever formal notice under the GDPR.

In September, the ICO issued a notice to AggregateIQ, giving the company 30 days to "assess, audit, implement and document" its data processing practices or face the maximum GDPR fine of £17 million.

The ICO's notice lists a range of AggregateIQ's compliance breaches, including processing without a lawful basis and failing to provide transparency information to UK-based individuals, while the company worked in partnership with UK-based organisation Vote Leave.

AggregateIQ has challenged the notice, adding it is in full compliance within all legal and regulatory requirements of GDPR.

"AggregateIQ didn't have a GDPR representative based in the EU and in its argument, the company says it was not obliged to appoint one. Once this dispute has been settled, only then will we receive concrete guidance from the court as to which local organisations with operations in the EU are required to have a GDPR representative," continued Blom.

"But the rule of thumb is if you're doing large-scale process of EU data, and there is a high risk of any harm, such as a data breach, then we would typically recommend that local firms appoint an EU representative," he concluded.